What is an SSL certificate and why do I need one?
What is an SSL Certificate?
An SSL (Secure Sockets Layer) certificate is a digital certificate used to provide a secure connection between a website and your web browser. Any information sent via this secure connection is only readable by you and the intended website.
Does my website need an SSL certificate?
The short answer is... YES!
Any website that collects sensitive or personal information (e.g. usernames and passwords, credit card details) needs an SSL certificate installed to encrypt this information in transit. Without this, any server between your customers' web browser and your application server can read this information, and if any of those servers are compromised then your customers could fall victim to a man-in-the-middle attack and identity theft.
As you can obtain an SSL certificate for free and install it with minimal effort, your website really should have an SSL certificate, regardless of whether you are collecting sensitive/personal information or not.
Benefits of using an SSL Certificate
Using an SSL Certificate to serve your website via HTTPS rather than HTTP has several benefits, including:
- Encrypted end-to-end communication - Any information sent back and forth between your web browser and the website is private and secure.
- Enhanced customer trust - With the padlock displayed in the address bar, your customers are more likely to trust and have confidence in your website. Websites which do not have an SSL certificate installed are now shown with "Not Secure" in the address bar, which will damage customer trust and confidence.
- SEO - Search engines prioritise content served over HTTPS ahead of content served over HTTP.
What types of SSL Certificates are there?
Domain Validation (DV) certificates
Domain Validation checks that you own the domain name you are requesting an SSL certificate for. This is usually done by placing a file on your website or by adding a DNS record which the SSL provider can check and verify.
These certificates are quick to get issued, easy to install and typically free which makes them ideal for blogs, side projects, community sites, startups etc.
Organisation Validation (OV) certificates
The validation process takes longer with an Organisation Validation certificate as the organisation's identity needs to be verified before the SSL provider can issue the certificate. The organisation's information is included within the issued SSL certificate.
These types of certificate can instil further trust as the organisation needs to be verified which means they are less likely to be used for spam or phishing purposes than DV certificates.
Extended Validation (EV) certificates
For completeness, I'll mention extended validation certificates. One of the main benefits of Extended Validation certificates was a green visual indicator in the address bar which included the company name.
However, major browsers like Google Chrome and Firefox have removed this green visual indicator (organisation information is still available but not in plain view), making EV and OV certificates visually identical to free alternatives.
Given that DV, OV and EV certificates appear visually identical, many don't consider EV certificates worth the cost anymore (for further reading see Extended Validation Certificates are (Really, Really) Dead by Troy Hunt).
How much does an SSL certificate cost?
SSL certificate costs can vary from free to several hundred dollars depending on which type of certificate you require, but you can obtain a free DV certificate and be up and running within minutes via Let's Encrypt.
So, as OV & EV certificates are visually identical to free DV certificates, why would you want to pay for an OV or EV certificate? There are a couple of reasons:
- OV & EV certificates still include the organisation information whereas a DV certificate only contains information about the domain it is issued for. The organisation's information can be revealed by clicking on the padlock in the address bar and viewing the certificate.
- OV & EV certificates can come with a large warranty (GlobalSign: up to $1.5 million) should the certificate be issued incorrectly and cause the end-user any harm, whereas DV certificates come with no warranty.
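The same check you make by clicking the padlock can be scripted. The following is an added example, not code from the original article: it reads the subject of a certificate and reports whether organisation information is present. The function names and both sample certificates are constructed for illustration, and treating "no organisation in the subject" as DV is a heuristic assumed here.

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=5):
    """Return a site's validated certificate as the dict getpeercert() produces."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _flatten(name):
    """Turn the nested tuples of 'subject'/'issuer' into {field: [values]}."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out.setdefault(key, []).append(value)
    return out


def summarise(cert):
    """Report the domains, organisation and issuer named in a certificate."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    org = subject.get("organizationName")
    issuer_name = issuer.get("organizationName") or issuer.get("commonName")
    return {
        "domains": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "organisation": org[0] if org else None,
        "issuer": issuer_name[0] if issuer_name else None,
        # Heuristic (assumption): a subject without an organisation is DV.
        "kind": "OV/EV" if org else "DV",
    }


# Constructed sample certificates in getpeercert() format (not real sites).
_ISSUER = ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),))
DV_SAMPLE = {"subject": ((("commonName", "blog.example.test"),),), "issuer": _ISSUER,
             "subjectAltName": (("DNS", "blog.example.test"),)}
OV_SAMPLE = {"subject": ((("countryName", "GB"),),
                         (("organizationName", "Example Widgets Ltd"),),
                         (("commonName", "shop.example.test"),)),
             "issuer": _ISSUER,
             "subjectAltName": (("DNS", "shop.example.test"),
                                ("DNS", "www.shop.example.test"))}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(summarise(sample))
```

To inspect a live site, pass the result of `fetch_cert("your-domain")` to `summarise()`.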
By now you are aware of what an SSL certificate is and why you should be using one so now we can look at how to request and install an SSL certificate.
We are busy writing this next instalment, so please take a moment to subscribe to our newsletter using the form to the right and we will notify you as soon as it goes live!
- Let's Encrypt - Free SSL/TLS Certificates
- Extended Validation Certificates are (Really, Really) Dead
- Intent to Ship: Move Extended Validation Information out of the URL bar (12th August 2019)
- Upcoming Change to Chrome's Identity Indicators (8th September 2019)
Originally published at https://chrisshennan.com/blog/what-is-an-ssl-certificate-and-why-do-i-need-one